Debian lenny CVE-2014-6271 (bash) patch

Hi,

a remotely exploitable vulnerability in bash has been discovered by Stephane Chazelas, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271 and has been given the name Shellshock by some folks out there.

Debian Wheezy (and Squeeze LTS) as well as other Linux distributions have already provided security upgrades; but in case you have to patch an old Debian Lenny installation, you might find it useful that I’ve fixed and recompiled the latest official Debian Lenny bash v3.2 with the latest upstream patches up to #52 (CVE-2014-6271).

UPDATE: #53 (CVE-2014-7169) has now been included in bash (3.2-15)!

UPDATE: I’ve recompiled this package including #54 by Florian Weimer to resolve an additional issue with clashes, e.g.:

env X='() { (a)=>\' sh -c "echo date"; cat echo

Please update your package to bash version 3.2-16!

You may grab the binaries here: https://4ufiles.flo.sh/bash/debian-lenny/

-Flo
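
As an added example that is not part of this post or of the rebuilt Debian package: a small POSIX sh script that reports whether a given bash binary still shows the behaviours behind three of the CVEs named on this page (CVE-2014-6271, CVE-2014-7169 and CVE-2014-7186), using the same `(a)=>\` probe the comments below exercise. It assumes the bash to check is on PATH as `bash` or is passed as the first argument; the one-liner above uses `sh -c`, which on the Lenny box is bash, so the script names the binary explicitly rather than relying on what `sh` points to.

```shell
#!/bin/sh
# Added example (not from the post): report whether a bash binary still
# shows the Shellshock behaviours this page and its comments talk about.
# Assumes the bash to check is on PATH as "bash" or is passed as $1.

BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: code trailing a function definition in an environment
# variable was executed while bash imported the function.
check_cve_2014_6271() {
    bin="${1:-$BASH_BIN}"
    command -v "$bin" >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the first fix left the parser in a bad state, so the
# redirection in the variable value created a file named "echo" holding
# the output of "date" (the check the comments below reproduce). Runs in
# a scratch directory so nothing in the caller's cwd is touched.
check_cve_2014_7169() {
    bin="${1:-$BASH_BIN}"
    command -v "$bin" >/dev/null 2>&1 || { echo unknown; return 0; }
    dir=$(mktemp -d) || { echo unknown; return 0; }
    (
        cd "$dir" || { echo unknown; exit 0; }
        env X='() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1 || true
        if [ -e echo ]; then echo vulnerable; else echo patched; fi
    )
    rm -rf "$dir"
}

# CVE-2014-7186: many unterminated here-documents overflowed a fixed-size
# stack and crashed bash; a crash shows up as an exit status of 128+signal.
check_cve_2014_7186() {
    bin="${1:-$BASH_BIN}"
    command -v "$bin" >/dev/null 2>&1 || { echo unknown; return 0; }
    rc=0
    "$bin" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' \
        >/dev/null 2>&1 || rc=$?
    if [ "$rc" -ge 128 ]; then echo vulnerable; else echo patched; fi
}

# Print one line per check and return 1 if anything is still vulnerable,
# so the script can be dropped into a fleet-wide audit.
shellshock_report() {
    bin="${1:-$BASH_BIN}"
    status=0
    for cve in 6271 7169 7186; do
        result=$("check_cve_2014_$cve" "$bin")
        printf 'CVE-2014-%s: %s\n' "$cve" "$result"
        if [ "$result" = vulnerable ]; then status=1; fi
    done
    return $status
}

shellshock_report "$@"
```

Run it on the host after installing the rebuilt package: every line should read `patched`, and a non-zero exit status flags a box that still needs the update. Naming the binary matters because if `/bin/sh` is dash rather than bash on a given system, the page's `sh -c` one-liner would probe the wrong shell and report nothing useful.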

7 thoughts on “Debian lenny CVE-2014-6271 (bash) patch”

    1. flo Post author

      Hey Hans,

      thank you for this hint.
      I’ve recompiled bash32 once more tonight including patch level #53.

      -Flo

      1. Hans

        Thanks for the update. It still doesn’t fix all vulnerabilities I am afraid:


        $ env X='() { (a)=>\' sh -c "echo date"; cat echo
        sh: X: line 1: syntax error near unexpected token `='
        sh: X: line 1: `'
        sh: error importing function definition for `X'
        date
        Sat Sep 27 08:36:07 BST 2014

        I believe it shouldn’t show the date 😉

        This is the second vulnerability as summarised at http://arstechnica.com/security/2014/09/new-shellshock-patch-rushed-out-to-resolve-gaps-in-first-fix/

        For reference: this is based on the 3.2-15 deb package:


        $ apt-cache show bash
        Package: bash
        Essential: yes
        Status: install ok installed
        Priority: required
        Section: shells
        Installed-Size: 1232
        Maintainer: Matthias Klose
        Architecture: i386
        Version: 3.2-15

        Thanks

        1. flo Post author

          Hi Hans,

          thank you for this important notice!

          I’ve run debian/rules clean and dpkg-buildpackage once more on the sources and now I do not get any date response:
          [23:28:49] root@roadrunner: /usr/src/bash/bash-3.2> env X='() { (a)=>\' sh -c "echo date"; cat echo
          sh: X: line 1: syntax error near unexpected token `='
          sh: X: line 1: `'
          sh: error importing function definition for `X'
          date
          cat: echo: No such file or directory

          Please retry again and let me know if it works now as expected for you.

          -Flo

          1. flo Post author

            Hi Hans,

            Florian Weimer has provided an additional patch for bash3.2 resolving this issue correctly. Please update your bash once more to 3.2-16.

            -Flo

    2. flo Post author

      Hi,

      please take this issue on your radar again.
      Meanwhile the following CVEs have been patched: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 and exploit 3 on http://shellshocker.net/ (remark: adding all bash32 bugfixes up to #57).

      I’ve updated the binaries to bash (3.2-17)…

      -Flo
